CCNA Wireless
Waves, Frequencies, and RF
Waves – Wireless starts and ends with waves, specifically
radio waves. There are different modulation techniques to encode data onto a
carrier wave signal. These techniques differ between the 3 (now 4 with N)
flavors of wireless, A, B, and G. DSSS (Direct Sequence Spread Spectrum)
is the modulation technique used by 802.11b, which uses “chipping codes” to
send redundant data to allow for interference. OFDM (Orthogonal Frequency
Division Multiplexing) is the modulation technique used by 802.11a and
802.11g. This technique divides a channel into multiple subcarriers, similar to
how a T1 is divided up. Data is sent simultaneously over these subchannels to
achieve redundancy and a combined higher data rate. MIMO (Multiple-Input
Multiple-Output) is the modulation technique used by 802.11n and allows a
device to use more than 1 antenna for sending data and more than 1 antenna for
receiving data. This is the main thing that helps N products achieve such
higher data rates than a and b/g, along with many other advances in how
signals are processed.
Frequencies – All wireless devices use unlicensed frequencies, meaning
that you do not have to apply for a license from the FCC to use them and they
are subject to interference from other devices. Within the frequencies assigned
to a and b/g there are also “channels,” which are the portion of the frequency
that an individual device can use. This is less important for 802.11a devices as
AP’s using 802.11a will automatically sense and choose a channel that is less
likely to conflict with the AP’s around it. A also has a lot more
non-overlapping channels to choose from – 23 within the 5GHz range of
802.11a. 802.11b only has 3 non-overlapping channels to choose from within
the 2.4GHz range 802.11b uses. If 2 AP’s next to each other are
transmitting on the same channel, the signal-to-noise ratio will rise and
the bandwidth available will decrease.
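The channel numbers above can be checked rather than memorized. The following is an added example, not part of the original notes: it computes 2.4 GHz channel center frequencies and reports which channel pairs overlap, which is how the “1, 6, 11” set falls out. The numbers it assumes come from the 802.11b/g specification, not from the notes: channels 1 to 13 are centered at 2412 + 5*(n-1) MHz, channel 14 at 2484 MHz, and a DSSS channel occupies 22 MHz. It goes slightly beyond the text by handling channel 14 and by checking an arbitrary floor plan; the AP names and channels in the sample plan are constructed.

```python
"""Added example (not from the notes): 2.4 GHz channel overlap check.

Assumed from the 802.11b/g spec: channels 1-13 centered at 2412 + 5*(n-1) MHz,
channel 14 at 2484 MHz, 22 MHz DSSS channel width.  Two channels overlap when
their centers are closer than 22 MHz.  Per-country channel availability is
ignored.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS occupied bandwidth


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel number."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' 22 MHz-wide signals share spectrum."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 12)) -> list:
    """Greedy pick of mutually non-overlapping channels, lowest number first."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicting_neighbors(ap_channels: dict) -> list:
    """Given {ap_name: channel}, list the AP pairs whose channels overlap."""
    return [(x, y) for x, y in combinations(sorted(ap_channels), 2)
            if channels_overlap(ap_channels[x], ap_channels[y])]


if __name__ == "__main__":
    print(non_overlapping_set())            # [1, 6, 11]
    plan = {"AP-North": 1, "AP-South": 3,    # constructed floor plan
            "AP-East": 6, "AP-West": 11}
    print(conflicting_neighbors(plan))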
RF – Radio Frequency waves behave like light waves or
any other waves. They are subject to many issues that can degrade performance
of a wireless network. Surveying before deploying a network, and periodically
afterward, helps mitigate these issues. Absorption describes how waves are blocked
by walls or dampened by carpet. This is similar to how sound waves are
absorbed. Scattering is how waves are reflected by something in the air,
like heavy rain. Refraction describes how a wave’s path is altered by
passing through something, such as thick glass. This is similar to what happens
to light waves as they pass through a prism. Reflection describes how
waves bounce off of shiny or reflective objects, which can cause more noise as
wireless frames arrive out of order, causing a “multipath issue” where signals
can become out of phase and cancel each other out. Line of Sight can
become an issue in wireless WAN deployments as the curvature of the earth
itself can become an obstacle, making taller towers necessary. Signal-to-Noise
Ratio is a measurement of how strong a signal is compared to all the
surrounding noise. This can be helpful when diagnosing issues with RF coverage
or deciding how to place AP’s.
Topologies
WPAN, WLAN, WMAN, and WWAN – A WPAN (Wireless
Personal Area Network) is limited to 20ft and is primarily for peripheral
devices (mice, Bluetooth devices, etc), operates on the unlicensed 2.4GHz
spectrum and is generally limited to 8 active devices. It can also be called a
“piconet.” A WLAN (Wireless Local Area Network) operates on the 2.4 or 5
GHz spectrum, spans about 100 meters from AP to client, and is more flexible to
allow more than 8 devices. WLANs and their clients are dual-band, supporting
different transmission methods in different areas. A WMAN (Wireless
Metropolitan Area Network) is slower than a WLAN, but covers more distance with
speeds closer to broadband. WiMAX is one example. Speeds decrease with distance.
A WWAN (Wireless Wide Area Network) is essentially a wireless WAN
connection with low rates, high cost and a licensed frequency.
802.11 Topologies – Originally, there were 2
modes for 802.11 networks – Ad Hoc and Infrastructure. Ad hoc networks
are made by wireless clients without a central device controlling them, like an
AP. These are also called IBSS (Independent Basic Service Set) and are
frowned upon for enterprise use for a number of issues, many of them security
related. Network Infrastructure Mode is the one most commonly used in
enterprises. When there is only 1 AP, it is called a BSA (Basic Service
Area) or wireless cell; if more than 1 AP is connected, it is called an ESA
(Extended Service Area).
SSID’s – Service Set Identifiers (SSIDs) are mapped to a
MAC address on the AP that you are connecting to. The MAC address can be the
MAC address of the wireless radio on the AP or a virtual one it generates. If
an AP has only 1 SSID, it is called a BSSID or Basic Service Set
Identifier. If an AP has more than one SSID, it is called an MBSSID (Multiple
Basic Service Set Identifier).
Bridges – Cisco offers 2 types of workgroup bridges, the Autonomous Workgroup
Bridge (aWGB) and the Universal Workgroup Bridge (uWGB), which help extend a
wired network to an area you can’t run cable to. They are point-to-point
wireless connections.
Repeaters – A repeater extends the
reach of a WLAN and does not require a wired connection. Regular Cisco AP’s can
act as repeaters, but there is a performance hit with each hop.
Outdoor Wireless Bridges – These
connect wired LANs together in either a point-to-point connection or
point-to-multipoint connection, like from building to building. Aironet 1300
bridges and Aironet 1400 bridges can do this. A 1300 series will also connect
clients and uses the 2.4 GHz range. The 1400 uses the 5 GHz range.
Outdoor Mesh Networks – This allows a bunch of
AP’s to form a mesh network. Requires controllers.
Antennas
Polarization – RF waves are
electro-magnetic waves, so like a magnet, they have polarization. This is a
bigger issue for outdoor deployments than indoor, but is one of the reasons to
be careful how you position an antenna.
Diversity – The use of 2 antennas for
each radio to increase the odds of getting a good signal.
Antenna Types:
Omnidirectional – Across the Horizontal
plane or Azimuth, the signal spreads fairly evenly. In the vertical plane or
Elevation plane, signal propagates mainly downward, meaning that an AP on the
ceiling will not bleed so much to the floor above. These are generally the most
common.
2.2-dBi Dipole – Similar propagation to
an omnidirectional, but with a doughnut shape in that on the Elevation plane there
are some gaps in the middle. These look like short plastic poles and usually
have a hinge where they can be bent.
Directional Antennas – Give more control over
RF propagation, such as parabolic dishes and on walls.
8.5-dBi Patch, Wall Mount – Most signal
is focused forward, with a little allowed to bleed back.
13.5-dBi Yagi Antenna – Very directed, focused
RF pattern, such as a straight shot down a hallway.
21-dBi Parabolic Dish – Very, very narrow
path…must be calibrated correctly. Most allow you to change polarity to make
them easier to mount.
Antenna Connectors and Hardware:
Attenuators – Reduce the signal between
the radio and antenna to comply with FCC regulations.
Amplifiers – Add gain to strengthen the
signal between the AP and antenna.
Lightning Arrestors – Prevent surges from
lightning strikes from traveling from an antenna to the LAN and damaging
equipment. They do not stop direct strikes.
802.11 Protocols
Original 802.11 Protocol – RF tech:
FHSS (Frequency Hopping Spread Spectrum) and DSSS (Direct Sequence Spread
Spectrum), Coding: Barker 11. Not used today because it only yields 1 to 2
Mbps.
802.11b Protocol – RF tech: DSSS, 2.4GHz
spectrum, Coding: Barker 11 and CCK (Complementary Code Keying), Modulation:
DQPSK (Differential Quadrature Phase-Shift Keying). Gives data rates of
1, 2, 5.5, and 11 Mbps and has 3 non-overlapping channels of 1, 6, 11. Backwards
compatible with original 802.11.
802.11g Protocol – RF tech: DSSS and OFDM
(Orthogonal Frequency Division Multiplexing), 2.4 GHz spectrum, Coding: Barker
11 and CCK, Data rates of 1, 2, 5.5, 11 Mbps with DSSS and 6, 9, 12, 18, 24,
36, 48, and 54 Mbps with OFDM and has the same 3 non-overlapping channels as b.
Backwards compatible with original 802.11 and b.
802.11a Protocol – Not compatible with
original 802.11, b, or g. Uses 5GHz spectrum, RF tech: OFDM, Coding:
Convolution Coding, Modulation: BPSK, QPSK, and 16 or 64-QAM. Data Rates are 6,
9, 12, 18, 24, 36, 48, and 54 Mbps with OFDM. Multiple non-overlapping channels
– AP’s automatically choose a channel not in use by adjacent AP’s.
802.11n Protocol – Backward compatible with
ALL 802.11 protocols. Uses MIMO (Multiple-Input, Multiple-Output) to achieve
higher data rates even for a, b, and g clients, and is less harmed by
interference and reflection. Up to 32 data rates.
Wireless Frame Transmission
Frame Types:
Management Frames – Used for association and
anything else to do with leaving or joining a BSA.
Control Frames – ACK’s for when data
frames are received.
Data Frames – Duh…they contain data.
Sending Frames:
Wireless LANs use CSMA/CA (Carrier Sense Multiple Access with Collision
Avoidance). This means they listen to the network and wait a designated time
before attempting to send data. This period is called the IFS (Interframe
Space) and can vary according to the type of client or data.
SIFS (Short Interframe Space) – Higher
priority. Used for ACKs and other high-priority responses.
PIFS (Point-coordination Interframe Space) – Used when
an AP is going to control the network
DIFS (Distributed-coordination Interframe Space) – The normal
spacing between frames. Used for data frames.
A client starts counting down a random timer. If it hears nothing during that
timer, it sends frames. If it does, it adds 45 to its current count and
continues counting down until it hears nothing, then sends. The total time it
has to wait is called a Contention Window.
Wireless Frame Headers:
A Wireless Frame Header can have up to 3 MAC addresses in it. The Source
and Destination MAC addresses and a BSSID, which is also a MAC address.
Wireless frames are larger than Ethernet frames and often have to be fragmented
before being bridged to the wired network.
RTS/CTS – If an AP is controlling
the network, the client will send an RTS or “Request to Send” to see if it is
allowed to take a turn sending frames. If it is, the AP will respond with a CTS
or “Clear To Send” response telling the client to proceed.
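The frame types, the three header addresses and the RTS/CTS exchange above can all be read straight off the first bytes of a frame. The following is an added example, not code from the original notes: it decodes the 802.11 Frame Control field, names the frame type and subtype (beacon, probe, authentication, RTS, ACK and so on) and works out which of the three addresses is the BSSID. The field layout it assumes comes from the 802.11 standard rather than from the notes (Frame Control is 2 little-endian bytes with the type in bits 2-3, the subtype in bits 4-7 and the To DS/From DS flags in bits 8-9; management and data frames carry three 6-byte addresses and a sequence control word; ACK and CTS carry only a receiver address, RTS a receiver and a transmitter address). The sample frames and MAC addresses are constructed.

```python
"""Added example (not from the notes): decode an 802.11 MAC header.

Assumed from the 802.11 standard: Frame Control = 2 bytes little-endian,
bits 0-1 version, bits 2-3 type, bits 4-7 subtype, bit 8 To DS, bit 9 From DS.
Management/data frames: three 6-byte addresses + 2-byte sequence control.
Control frames: ACK/CTS carry RA only, RTS carries RA then TA.
"""
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 11: "authentication", 12: "deauthentication"}
CTRL_SUBTYPES = {11: "RTS", 12: "CTS", 13: "ACK"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Return frame type/subtype, DS bits and the role of each address field."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x100), bool(fc & 0x200)
    info = {"type": TYPE_NAMES.get(ftype, "reserved"),
            "to_ds": to_ds, "from_ds": from_ds}
    if ftype == 1:  # control frames: no BSSID field, one or two addresses
        info["subtype"] = CTRL_SUBTYPES.get(subtype, f"control-{subtype}")
        info["ra"] = mac_str(frame[4:10])
        if subtype == 11:            # RTS also names the transmitter
            info["ta"] = mac_str(frame[10:16])
        return info
    if ftype == 0:
        info["subtype"] = MGMT_SUBTYPES.get(subtype, f"management-{subtype}")
    else:
        info["subtype"] = f"data-{subtype}"
    a1, a2, a3 = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    # The DS bits decide which address is the BSSID and which are SA/DA.
    if to_ds and not from_ds:        # client -> AP
        info.update(bssid=a1, sa=a2, da=a3)
    elif from_ds and not to_ds:      # AP -> client
        info.update(da=a1, bssid=a2, sa=a3)
    elif not to_ds and not from_ds:  # management frames, ad hoc (IBSS)
        info.update(da=a1, sa=a2, bssid=a3)
    else:
        raise ValueError("four-address (WDS) frames are not handled here")
    info["sequence"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    return info


# Constructed sample frames (FCS omitted).
AP = bytes.fromhex("001122334455")   # AP radio MAC, also the BSSID
STA = bytes.fromhex("66778899aabb")  # client MAC
BCAST = b"\xff" * 6
# Beacon: FC 0x0080 = management, subtype 8; addresses DA, SA, BSSID
BEACON = bytes([0x80, 0x00, 0, 0]) + BCAST + AP + AP + bytes([0x10, 0x00])
# Data frame from client to AP: FC 0x0108 = data, subtype 0, To DS set
DATA_TO_DS = (bytes([0x08, 0x01, 0, 0]) + AP + STA
              + bytes.fromhex("deadbeef0001") + bytes([0x20, 0x00]))
# RTS: FC 0x00b4 = control, subtype 11, RA then TA
RTS = bytes([0xb4, 0x00, 0, 0]) + AP + STA
# ACK: FC 0x00d4 = control, subtype 13, RA only
ACK = bytes([0xd4, 0x00, 0, 0]) + STA

if __name__ == "__main__":
    for name, frame in ("beacon", BEACON), ("data", DATA_TO_DS), ("rts", RTS), ("ack", ACK):
        print(name, parse_header(frame))
```

Feed it the raw bytes of frames from a monitor-mode capture (minus the FCS) to see which address carries the BSSID in each direction; this is also the field a management-frame spoofing check has to key on.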
Other Wireless and How They Mess Your WLAN Up!
Cordless Phones – Not too common anymore,
but they do interfere with wireless since they operate either at 2.4GHz or
5.8GHz. They use TDMA (Time Division Multiple Access) or FDMA (Frequency
Division Multiple Access) to allow several devices to use the same frequency at
the same time on different “channels.”
Bluetooth – Interferes with b/g WLANs
as it operates at 2.4GHz, but has limited range. Uses FHSS (Frequency Hopping
Spread Spectrum) so it will jump to a different frequency within that range to
minimize interference. Considered a piconet or WPAN. Connects multiple slave
devices to one master device for its topology.
ZigBee – Another WPAN technology, mostly used for
monitoring devices. Has a funky topology with stars and clusters with some full
function devices and some coordinators or reduced function devices.
WiMAX – Doesn’t interfere with WLAN’s, but is basically a
wireless broadband solution for WAN links to the internet.
Other Culprits of Interference – Leaky
Microwaves (huge problem in real life!), Wireless X11 cameras, Radar Systems, Motion
Sensors, Fluorescent Lighting, Game Controllers and adapters.
How Packets Get To and From a Wireless Network From
a Wired Network
Association – A client either passively
scans a network to see what SSID’s are being broadcast by a beacon from the AP
or actively scans sending a probe request for a specific SSID that may or may
not be broadcast. If the client hears a beacon or receives a probe
response, the client sends an authentication request to the AP for the desired
SSID. The AP should respond with an authentication response. If this is
successful, the client sends an association request that includes client info
like data rates and the AP responds with an association response that contains
the AP’s info like data rates. The client chooses a data rate based on the RSSI
(Received Signal Strength Indicator) and the SNR (Signal-to-Noise Ratio). The
client is now associated.
Sending to a Host on Another Subnet –
1. Client decides to send traffic to another host.
2. Client determines that the other host is not on its subnet.
3. Client decides to send the traffic to its default gateway.
4. Client looks up the gateway in its ARP cache, but it’s not there.
5. Client sends an ARP request to the AP for the gateway.
6. The AP sends the ARP request to its controller using LWAPP (Lightweight
Wireless Access Point Protocol) across the wired network, encapsulating it
with a 6 byte header for the trip.
7. The controller opens the LWAPP frame, reads the ARP request, rewrites it
into an Ethernet frame and sends that across the wired network as a broadcast.
All the switches that receive this broadcast flood it out all ports except the
one it was received on.
8. A layer 3 device receives the ARP request broadcast and responds with a
unicast ARP response, which is received by the WLAN controller.
9. The controller rewrites the Ethernet frame into an 802.11 frame, adds an
LWAPP header and sends it to the AP.
10. The AP removes the LWAPP header and exposes the 802.11 frame, which
contains the ARP response.
11. The AP buffers the frame, starts a backoff timer and goes through the
usual process of waiting for a free moment to send. It then sends the frame to
the client.
VLANs – In order for multiple SSID’s to be used on an AP, a logical VLAN must
be assigned to each SSID, which allows different SSID’s to have different
subnets. APs using multiple VLANs and SSID’s need a trunk port to the switch
they are connected to. Configuring VLAN’s is covered in the CCNA, but suffice
it to say an SSID is mapped to one logical subnet and one logical VLAN.
Cisco Unified Wireless LANs
CUWN (Cisco Unified Wireless LAN) – Cisco’s
Lightweight wireless infrastructure which moves some tasks from the Access
Point (AP) to the Wireless LAN Controller (WLC) using what they call the “Split
MAC Architecture.” AP’s send information to and from the WLC using LWAPP
(Lightweight Wireless Access Point Protocol) and the WLC can make decisions
boosting or weakening AP signal strength to provide better coverage, boosting
the power of AP’s around an AP that has failed, containing rogue AP’s, etc. A
WLC can manage from 6-300 AP’s. WCS (Wireless Control System) can then control
multiple controllers.
Cisco Controllers and AP’s:
The AP Handles – Frame exchange,
beaconing, buffering and transmitting frames, responds to probe requests,
forwards notifications of received probe requests to WLC, provides RRM (Radio
Resource Management) information regarding quality to WLC, monitors all
channels for noise and interference.
The WLC handles – Association,
Reassociation when roaming occurs, Authentication, Frame Translation and
Bridging.
LWAPP Modes:
Layer 2 LWAPP Mode – Being deprecated by
Cisco. WLC has to be in the same subnet as the AP’s it controls.
Layer 3 LWAPP – Cisco’s preferred mode.
LWAPP travels across subnets and the WLC can be in a different subnet than the
AP’s.
Multiple Networks
WLC’s can support up to 512 VLAN’s. All data regardless of the SSID/VLAN is
sent in 1 tunnel from the AP to the WLC via LWAPP. The WLC can only have 16
SSID’s per AP, though.
CUWN Architecture
Clients – Aironet Client Devices,
Cisco-compatible client devices, Cisco Secure Services Client
AP’s:
1130AG – Can operate as autonomous or lightweight and
H-REAP (Hybrid Remote Edge AP). Designed for Indoor use. Supports 802.11a/b/g
1240AG – Has same features as
1130’s but only uses external antennas.
1250 Series – Supports 802.11a/b/g/n.
Designed for rugged environments, uses 2×3 MIMO technology with external
antennas.
1300 Series AP/Bridge – Outdoor AP or Bridge.
Does not have a 5GHz radio, so only supports 802.11b/g. Can be purchased with
integrated antennas or connectors for external antennas. Has a special power
supply.
1400 Wireless Bridge – Can only operate as a
bridge and cannot connect clients. Does not support LWAPP and is autonomous
only. Designed for outdoor environments and can be purchased with an internal
antenna or connectors for an external antenna. Supports 802.11a/b/g.
WLC’s:
4400 Series WLC – Supports 12, 25, 50, or
100 AP’s depending on model. Can support up to 5,000 MAC addresses in database.
AP and controller must run the same code version, but the controller will
upgrade or downgrade the AP.
3750-G WLC – A WLC integrated into a
small switch with the switch and WLC sharing a backplane. Saves space and ports.
Cisco WiSM (Wireless Services Module) – Blade that
installs in a 6500 or 7600 chassis, sharing a backplane. WiSM supports up to
300 AP’s or 150 AP’s per controller with each blade having 2 controllers.
Allows clustering of AP’s into a mobility domain.
Cisco 2106 WLC – Same form factor as ASA
5505’s. Small branch controller with 2 PoE switchports. Supports up to 6 AP’s.
Cisco WLCM – Another small branch
controller designed to be added to an ISR router as a module. Supports 8 or 12
AP’s, depending on model.
WCS Flavors
Runs on Windows or Red Hat Linux servers. Manages up to 3,000
lightweight AP’s and 1250 Autonomous AP’s. If you add WCS Navigator, it scales
above 3,000 AP’s by letting you navigate between several WCS servers. Also
works with Wireless Location Application to track RFID tags.
Controller Discovery and Association
LWAPP Layer 2 Transport Mode – Again, not
preferred by Cisco, AP and WLC must be on the same Subnet. All LWAPP
communication is in Ethernet encapsulated frames, not IP packets.
LWAPP Layer 3 Transport Mode – Preferred
due to scalability. Frames are encapsulated in UDP. You need to make sure any
firewalls between the AP’s and the controller allow UDP port 12222 for LWAPP
data messages and UDP port 12223 for LWAPP control messages. A 1500 MTU is
assumed, but can be changed.
LWAPP AP Controller Discovery
1. Discovery Mode – An AP boots and enters
Discovery Mode. It sends a layer 2 broadcast Discovery Request message. If this
fails (and unless LWAPP layer 2 transport mode is in use, it will), it goes
to step 2.
2. The AP moves to layer 3 by checking its config
for an IP address. If it doesn’t have one, it uses DHCP to get one.
3. The AP gets an IP address from the DHCP server.
If the DHCP server has DHCP option 43 configured to give the AP an IP address
for a controller, the AP now uses that to try to contact one.
4. If no IP address for a WLC was configured on the
DHCP server and no WLC has responded to the layer 2 Discovery Request
broadcast, the AP reverts back to layer 2 broadcasts and tries again.
IOS-Based AP’s only do a Layer 3 Discovery, as
follows:
1. AP does a subnet broadcast to see if a controller
is operating in Layer 3 mode on its subnet.
2. The AP does an OTAP (Over-the-Air Provisioning).
3. When other AP’s exist and are in a joined state
with a WLC, they send messages to the WLC that have the IP address of the controller
in them. The AP that is trying to discover the WLC can overhear these and get
the WLC IP address from them and send a directed Discovery Message to it.
4. After an AP has associated with at least 1 WLC,
the AP gets a list of other controllers from the WLC that it can associate
with. This gets stored in NVRAM and can be used to skip straight to a directed
Discovery Message the next time the AP reboots. This is called AP Priming.
***You can also use DNS to set an entry for CISCO-LWAPP-Controller for
the IP address of a WLC management interface. The AP can use this address to
send a unicast query.
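Of the discovery methods above, the DHCP option 43 one is the piece most often got wrong on the DHCP server side, because the value has to be entered as a hex TLV. The following is an added example, not from the original notes: it builds and decodes that TLV. The layout it assumes (sub-option code 241, i.e. 0xf1, a one-byte length equal to 4 times the number of controllers, then each WLC management IP as 4 raw bytes) is Cisco’s published option 43 format for lightweight APs; the notes only say that option 43 carries a controller IP, so treat the sub-option code as an assumption to confirm against your DHCP server’s documentation. All IP addresses in it are constructed.

```python
"""Added example (not from the notes): DHCP option 43 TLV for LWAPP controllers.

Assumed layout (Cisco's published format, not stated in the notes):
  code 0xf1 (241) | length = 4 * number of controllers | IPv4 addresses as raw bytes
"""
import ipaddress

LWAPP_CONTROLLER_SUBOPTION = 0xF1  # decimal 241


def encode_option43(controller_ips: list) -> bytes:
    """Raw option 43 payload for one or more WLC management addresses."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a single-byte TLV length")
    return bytes([LWAPP_CONTROLLER_SUBOPTION, len(value)]) + value


def decode_option43(payload: bytes) -> list:
    """Walk every TLV in the payload and return the controller IPs found.

    Other sub-options are skipped; a truncated TLV or a controller list whose
    length is not a multiple of 4 is rejected rather than silently misread."""
    ips, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("dangling byte in option 43")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV in option 43")
        if code == LWAPP_CONTROLLER_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list length must be a non-zero multiple of 4")
            ips += [str(ipaddress.IPv4Address(value[j:j + 4]))
                    for j in range(0, length, 4)]
        i += 2 + length
    return ips


def is_valid_option43(payload: bytes) -> bool:
    """True when the payload parses and names at least one controller."""
    try:
        return bool(decode_option43(payload))
    except ValueError:
        return False


if __name__ == "__main__":
    payload = encode_option43(["192.168.10.5", "192.168.10.20"])
    print(payload.hex())   # f108c0a80a05c0a80a14, the hex string entered on the DHCP server
    print(decode_option43(payload))
```

The hex string printed by the encoder is what gets pasted into the DHCP scope; the decoder is useful the other way round, to check what a scope is actually handing out when APs keep falling back to layer 2 broadcasts.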
Choosing a Controller
1. The AP chooses the primary controller if it has
been primed.
2. The AP chooses the secondary controller, then the
tertiary controller if it has been primed.
3. If no information is available, it looks for a
master controller. Each mobility group should have 1.
4. If all the above fail, the AP looks for the
least-loaded AP-Manager interface based on the number of AP’s being managed.
5. The AP sends the WLC it has chosen a Join
Message. The WLC should respond with a Join Reply message which includes the
result code, allowing them to talk, its certificate, and a test payload to see
if jumbo frames will work. This completes the Join Request Phase.
Receiving a Configuration
If the AP is not running the correct software version, the controller
upgrades or downgrades it at this point. If this is necessary, the AP reboots
and discovers and rejoins the WLC. Once the software versions match, the AP
prompts the WLC for a config by sending a LWAPP config request message that
contains what is already set and what can be configured. When the WLC gets this
request, it sends a configure response message with the values. The AP applies
the config in RAM…it is never stored in flash as on an autonomous AP.
Redundancy for APs and WLC’s
N+1 – Provides a single backup for multiple
controllers. This strategy fails if more than 1 controller goes down.
N+N – Each controller backs up another controller.
Load balancing is important here.
N+N+1 – Most redundant design with every controller
acting as a backup to another and an extra backup designated as the tertiary.
$$$
AP Modes
Local Mode – usual AP mode serving
clients. Can also be used for site surveys
Monitor Mode – Passive and cannot send
traffic or associate clients. Used for finding rogue AP’s, troubleshooting,
surveying, or IDS matches. Can be used with location appliance to increase
accuracy.
Sniffer Mode – Cannot send traffic or
associate clients. Works with 3rd party sniffer software to capture data for
troubleshooting and forensics.
Rogue Detection Mode – Radios are turned off
and cannot associate clients or send traffic. Listens for ARP messages on the
wired network and sends the rogue AP and client MAC list to the controller so
the controller can issue alarms.
H-REAP Mode – Allows you to have
lightweight AP’s across a WAN link from their controller. Link must be faster
than 128kbps and latency must be less than 100ms roundtrip. Connected mode
means the AP can reach the controller. If the WAN link fails, the AP goes into
Standalone mode and all client requests are serviced based on a config that is
local to the AP (basically, it reverts back to autonomous).
Bridge Mode – Allow point-to-point or
multi-point links. Mainly used in Mesh networks.
Roaming…no Buffalo…just Roaming
Mobility Groups – A group of controllers
that share information about clients that are roaming. Think a group of
controllers in one building on a campus. A client does not need to reassociate
when moving between AP’s on different controllers in a mobility group and keeps
the same IP even if the AP it roams to is in a different subnet.
Mobility Domain – A group of mobility
groups or controllers in different mobility groups that share information
regarding their clients. Think of two buildings connected in a campus…this
might be 2 different mobility groups, but 1 mobility domain. Users roaming
between AP’s on different controllers in different mobility groups that are in
the same mobility domain do not need to reassociate, but they do have to get a
new IP address. Users who roam from an AP on a controller in one mobility
domain to a controller in a completely different mobility domain do have to
reassociate completely as if connecting for the first time and will lose
connection.
Roaming Requirements – All controllers have to
be in the same mobility domain. All WLC’s must be on the same code version. All
WLC’s have to operate in the same LWAPP mode. ACL’s (Access Control Lists) in
the network must be the same. The SSID must be the same.
Layer 2 Versus Layer 3 Roaming – Layer 2
roaming takes place when a client roams from 1 AP to another that are both in
the same network and the client keeps the same IP address. Layer 3 roaming
happens when a client roams from one AP on one subnet to another AP on a
completely different subnet where both AP’s have the same SSID. The client
keeps the same IP address in both cases and no data is lost as they roam.
Asymmetric Tunneling – Traffic from the client
is routed straight to the destination, regardless of its source address, while
return traffic goes to the client’s original controller, called the anchor, and
is tunneled from there to the new (foreign) controller.
Symmetric Tunneling – All traffic is tunneled
from the client to the anchor controller, sent to the destination, returned to
the anchor controller, and then tunneled back to the client via the foreign
controller.
Mobility Anchors – Also called guest tunneling
or anchor mobility. All the traffic that belongs to a WLAN is tunneled to a
predefined WLC or set of WLC’s. This is particularly good to anchor guest
devices to a WLC in the DMZ for security. This is done on a per WLAN (SSID)
basis.
Controller Terminology
WLAN = SSID and all its parameters
Port – Ties together a VLAN and SSIDs.
Static Interfaces:
Management Interface – The “IP Address” of the
controller. AP’s use this IP to discover the controller and mobility groups
exchange information using it.
AP Manager Interface – This address is the
source address for LWAPP communication between the WLC and the AP. It has to be
unique, but can be in the same subnet as the management address.
Virtual Interface – Controls the Layer 3
security and mobility manager communications for all the physical ports of the
WLC. This interface also has the DNS gateway hostname used by Layer 3 security
and mobility managers to verify certificates. If you configure users to have to
log in to a web page to authenticate to use the network (like for guest
access), this is the IP address they will be redirected to.
Service Port – Out of Band management,
system recovery, and maintenance purposes. This is the only port on the
controller that is active in boot mode. It does not auto-sense.
Migrating Standalone (Autonomous) AP’s to LWAPP
The IOS to LWAPP Conversion Utility – Software
that runs in Windows. Will upgrade AP’s running version 12.3(7)JA or above for
WLC’s running version 3.1 or later. Uses a .txt file with information about the
AP’s you wish to upgrade and a TFTP server to send image files to them.
Cisco Mobility Express
Small Business Communication System – Designed
to be able to grow with a small business, the hardware does not work with their
enterprise systems. Allows for the management advantages of the CUWN without as
much cost or equipment. Only supports growth up to 12 AP’s total.
Includes:
Cisco Unified Communication 500 Series for Small
Businesses – Long name,
but it includes a dhcp server and can support up to 48 users.
Cisco Unified IP Phones
Cisco Monitor Director
Cisco Mobility Solution, Including:
Cisco 526 Wireless Express Controller – Each
controller can support up to 6 AP’s with 2 controllers supported. Provides
guest access, Voice-over-WLAN, LWAPP, Same authentication architectures as
enterprise, wired/wireless network virtualization, and management with CCA
(Cisco Configuration Assistant).
Cisco 521 Wireless Express Access Point – Can only
communicate with the 526 Wireless Express Controller, so it cannot be used in
an enterprise environment, only supports 802.11b/g, otherwise similar to 1130AG
AP’s.
Wireless Clients
Microsoft Windows Zero Configuration Utility (WZC) – Probably
the least preferred, least secure, and most troublesome way to connect. This
one is fairly familiar to anyone who has set up a windows PC for wireless. A
major security hole is that, if unable to join a broadcasting network, it will
automatically attempt to create its own ad hoc network and allow others to
connect to it, in the background, with no notification to the user that this is
happening. It will also automatically connect to any ad hoc network it finds if
it cannot connect to an infrastructure network.
Apple AirPort Extreme – This GUI is actually
pretty nice, with very intuitive settings. No glaringly obvious security holes.
Linux NetworkManager – GUI tool available in
many different Linux distros…similar to tools for Macs and PC’s and not tested
for the CCNA-Wireless.
Cisco Aironet Desktop Utility (ADU) – Cisco
offers cardbus and PCI card WLAN NICs and this is the utility used to manage
them on a PC. It also has a utility for the system tray called the Aironet
System Tray Utility. It’s better than the WZC, but I prefer other utilities
when I have the chance. A few advantages it has though are the ability to give
a SNR (Signal-to-Noise Ratio) reading from the client and the ability to do
basic site surveying with it. You can use the Aironet Configuration
Administration Utility (ACAU) to automate the creation of client profiles
if you have a lot of these cards in your enterprise.
Cisco Secure Services Client (SSC) – Cisco’s
alternative to the WZC for those with Wireless NICs from other vendors.
Requires a license for the client and has a utility as well to create client
profiles for distribution called the SSCAU (Secure Services Client
Administration Utility).
CCX (Cisco Compatible Extensions) Program – basically certifies
that devices will work with Cisco AP’s and infrastructure. On the AP side,
using all CCX compatible clients means the AP can change some settings on the
client side and gives you more control over how they connect.
Wireless Security
Threats Unique to WLAN’s:
Ad Hoc Networks – This allows 2 or more
clients to connect to each other bypassing corporate security policies. An
attacker could form an ad hoc network and trick users to connect to that
network and steal data or use their connection to the corporate network as a
way to then gain access.
Rogue AP’s – An AP outside the
corporate infrastructure that could be friendly or malicious. You have to track
them down to determine if they are just a neighboring office building’s network
or something that has been brought in from home, or part of a malicious attack.
Attackers try to get users to connect to the rogue and gain access or steal
data from them. A user may unwittingly attach an AP to the corporate network,
allowing an attacker to bypass corporate security policies and gain access to
the network.
Client Misassociation – An attacker spoofs the
SSID of a network a client device has already connected to and the client
utilities use the cached information about that SSID to automatically connect
to the spoofed SSID, sometimes without the client’s knowledge. This can be done
by sending false beacon messages or management frame spoofing.
Management Frame Protection (MFP) – This helps
prevent a client misassociation attack. Each management frame gets a MIC
(Message Integrity Check) added to it before the FCS (Frame Check Sequence).
Each WLAN (SSID) gets a unique key sent to each radio on the AP. If anyone
tries to spoof the frames or mess with the contents and does not have this key,
it invalidates the message. Client MFP can be used with CCX (Cisco Compatible
Extensions) 5 or better on the client. Here the client can talk to the AP and
find out what the MIC is and it can also verify that the management frames it
receives match this MIC. This will also keep a neighboring AP from attacking
your network with deauthentication messages (essentially trying to contain your
AP as if it were a rogue) since clients will know that these deauth messages
did not come from your AP.
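The mechanism above is a keyed integrity check: a per-WLAN key that only the legitimate radios hold, a MIC over each management frame, and a receiver that drops anything whose MIC does not verify. The following is an added teaching model of that idea, not Cisco’s MFP implementation and not code from the notes: it uses HMAC-SHA256 truncated to 8 bytes as the MIC, appends it to the frame (real MFP places it before the FCS and also carries replay counters), and shows that a deauthentication frame from a neighbor without the key, or a protected frame altered in flight, fails verification while the genuine one passes. The master key, MAC addresses and sample frame are constructed.

```python
"""Added example (not from the notes): teaching model of Management Frame
Protection.  Not Cisco's algorithm: MIC = HMAC-SHA256 truncated to 8 bytes,
appended to the frame; replay protection is omitted.
"""
import hashlib
import hmac
import os

MIC_LEN = 8


def derive_wlan_key(ssid: str, master_key: bytes) -> bytes:
    """Per-WLAN key: one key per SSID, distributed to every radio serving it."""
    return hmac.new(master_key, ssid.encode(), hashlib.sha256).digest()


def protect_frame(key: bytes, frame: bytes) -> bytes:
    """Append a MIC to a management frame."""
    mic = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return frame + mic


def verify_frame(key: bytes, protected: bytes) -> tuple:
    """Return (valid, frame); constant-time compare so timing does not leak the MIC."""
    if len(protected) <= MIC_LEN:
        return False, b""
    frame, mic = protected[:-MIC_LEN], protected[-MIC_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return hmac.compare_digest(mic, expected), frame


# Constructed sample: a deauthentication frame (FC 0x00c0, reason code 7)
# as the legitimate AP would send it to one client.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
DEAUTH = (bytes([0xc0, 0x00, 0, 0]) + STA_MAC + AP_MAC + AP_MAC
          + bytes([0x30, 0x00]) + bytes([0x07, 0x00]))


def demo() -> dict:
    """Show that only unaltered frames from a key holder pass the check."""
    wlan_key = derive_wlan_key("corp-wifi", os.urandom(32))
    genuine = protect_frame(wlan_key, DEAUTH)
    # A neighbouring AP without the WLAN key can only attach a guessed MIC.
    forged = DEAUTH + os.urandom(MIC_LEN)
    # Flipping one bit of the reason code in a protected frame also fails.
    tampered = bytearray(genuine)
    tampered[-MIC_LEN - 2] ^= 0x01
    return {"genuine": verify_frame(wlan_key, genuine)[0],
            "forged": verify_frame(wlan_key, forged)[0],
            "tampered": verify_frame(wlan_key, bytes(tampered))[0]}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the notes: a client that can verify the MIC simply ignores deauthentication frames that did not come from its own AP, so a neighboring controller “containing” your AP no longer knocks clients off.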
Attacks Used on Both Wired and Wireless Networks:
Reconnaissance Attacks – An attacker tries to
gain info about your network (port scanning, etc.)
Access Attacks – An attacker tries to get
access to data, devices, or the network. (Includes trying to crack pre-shared
keys, etc.)
DoS (Denial of Service) Attacks – An
attacker tries to prevent users from getting services they need. An example
might be someone putting AP’s at the edge of your property and then trying to
contain your AP’s as if they were rogues.
Authentication Schemes:
Open – Suitable only for guest access to a network.
Pretty much no authentication. These users should only be given internet
access.
PSK (Pre-shared Key) with WEP (Wired Equivalent
Privacy) – Actually
considered less secure than Open authentication. Keys are easily broken and
then the attacker has access. Uses the RC4 encryption method, which is weak. Key
sizes are 40-bit, 104-bit, and 128-bit, but Windows will not support the 128-bit.
All sizes are easily cracked. MAC Address filtering helps little because MACs
are easily spoofed.
EAP (Extensible Authentication Protocol)/802.1x – Much
better authentication and encryption. This has a 3-way handshake to
authenticate and requires an external AAA server (RADIUS).
EAP-TLS – Requires PKI (Public Key
Infrastructure) certificates on the supplicant (client) and the authentication
server. Considered most secure and an encrypted tunnel protects the user
certificate.
EAP-FAST – Does not require PKI
certificates, but uses a strong shared secret key called a PAC (Protected
Access Credential) that is unique on every client. Is considered the successor
to Cisco LEAP (Lightweight Extensible Authentication Protocol).
PEAP (Protected EAP) – Only a server-side
certificate is needed, which is used to create an encrypted tunnel where the
real authentication takes place. PEAP uses MS-CHAPv2 or GTC (Generic Token
Card) to authenticate users.
LEAP – Vulnerable to an offline attack and is being
deprecated.
Encryption Methods:
WPA – Uses TKIP (Temporal Key Integrity Protocol) to
automatically change keys. Can support AES (Advanced Encryption Standard)
optionally. Uses stronger encryption (TKIP vs. RC4) than WEP and a larger IV
(initialization vector). 2 modes are offered – Enterprise mode (requires a RADIUS
server and uses TKIP with AES available) and Personal mode (uses PSK (preshared
keys) instead of RADIUS, so it is weaker but more friendly to home environments).
WPA2 – Mandates AES, TKIP is not available. Only allows
the AES/CCMP (Advanced Encryption Standard-Cipher Block Chaining Message
Authentication Code Protocol) version of AES. Key Management allows keys to be
cached to allow for faster connections. Considered best.
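The authentication and encryption ranking above turns naturally into a configuration audit: each weak setting next to the corrected one. The following is an added example, not code from the notes or from any controller: it audits a list of WLAN (SSID) profiles using the rules stated above (WEP and LEAP flagged for removal, open authentication accepted only on a guest WLAN, PSK on an employee WLAN and TKIP anywhere flagged, 802.1X with EAP-TLS, EAP-FAST or PEAP plus AES-CCMP accepted) and produces a hardened copy of each profile. The profile dictionaries and their field names (ssid, auth, eap, cipher, guest_only, mac_filter_only) are constructed for the example, not a WLC export format.

```python
"""Added example (not from the notes): WLAN profile audit with a hardened copy.

Profile fields (constructed, not a controller export): ssid, auth, eap,
cipher, guest_only, mac_filter_only.
"""

ENTERPRISE_EAP = {"eap-tls", "eap-fast", "peap"}


def audit_wlan(profile: dict) -> list:
    """Return (severity, message) findings for one WLAN profile; empty means OK."""
    findings = []
    auth = profile.get("auth", "").lower()
    cipher = profile.get("cipher", "").lower()
    guest = bool(profile.get("guest_only"))
    if auth == "wep":
        findings.append(("high", "WEP keys are easily cracked; migrate to WPA2"))
    if auth == "leap":
        findings.append(("high", "LEAP is deprecated and vulnerable to an offline attack; move to EAP-FAST"))
    if auth == "open" and not guest:
        findings.append(("high", "open authentication on a non-guest WLAN"))
    if auth == "wpa-psk" and not guest:
        findings.append(("medium", "pre-shared key on an employee WLAN; prefer 802.1X with a RADIUS server"))
    if cipher == "tkip":
        findings.append(("medium", "TKIP in use; WPA2 mandates AES-CCMP"))
    if auth == "802.1x" and profile.get("eap", "").lower() not in ENTERPRISE_EAP:
        findings.append(("medium", "802.1X without EAP-TLS, EAP-FAST or PEAP"))
    if profile.get("mac_filter_only"):
        findings.append(("low", "MAC filtering is the only control; MACs are easily spoofed"))
    return findings


def hardened(profile: dict) -> dict:
    """Corrected copy of a profile: guest WLANs stay open but Internet-only;
    everything else becomes WPA2 (AES-CCMP) with 802.1X, defaulting to EAP-FAST
    because it needs no client certificates."""
    fixed = dict(profile)
    fixed.pop("mac_filter_only", None)
    if fixed.get("guest_only"):
        fixed.update(auth="open", cipher="none", internet_only=True)
        return fixed
    fixed.update(auth="802.1x", cipher="aes-ccmp")
    if fixed.get("eap", "").lower() not in ENTERPRISE_EAP:
        fixed["eap"] = "eap-fast"
    return fixed


def audit_all(profiles: list) -> dict:
    """Map each SSID to its findings and to the hardened profile."""
    return {p["ssid"]: {"findings": audit_wlan(p), "hardened": hardened(p)}
            for p in profiles}


SAMPLE_PROFILES = [  # constructed
    {"ssid": "corp", "auth": "802.1x", "eap": "eap-tls", "cipher": "aes-ccmp"},
    {"ssid": "legacy-scanners", "auth": "wep", "cipher": "rc4"},
    {"ssid": "guest", "auth": "open", "guest_only": True},
    {"ssid": "office-wpa", "auth": "wpa-psk", "cipher": "tkip"},
]

if __name__ == "__main__":
    for ssid, result in audit_all(SAMPLE_PROFILES).items():
        print(ssid, result["findings"], "->", result["hardened"])
```

Running the audit on the hardened copies should come back empty for every profile; anything that still shows a finding is a rule the hardening step does not cover yet.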
WCS (Wireless Control System)
WCS Requirements:
Linux – Will support 3,000 AP’s and 250 Controllers with
Red Hat ES/AS Linux Release 4 or better, Intel Xeon Quad 3.15-GHz CPU or
better, 8 GB RAM or better, and a 200 GB HD.
Windows – Will support 2,000 AP’s
and 150 controllers with Windows Server 2003 or better, Pentium 4/2.06 GHz or
better, 2 GB RAM, and a 30 GB HD or better.
Licenses – There are 2 license
options here – Base and Base with Location which allows you to use a Location
appliance for RFID tag tracking.
Features:
Templates – Allow for faster, more uniform
configuration of controllers
Auto Provisioning – Allows a new,
unconfigured controller to automatically grab a configuration from the WCS
server.
Heat Maps – Can be used for a basic
RF prediction (Not always as accurate as a site survey), and once deployed,
show real-time RF info and location and status of AP’s.